forum.coppermine-gallery.net
Support => cpg1.4.x Support => Older/other versions => cpg1.4 miscellaneous => Topic started by: zapper on February 18, 2006, 08:05:59 pm
-
Thanks for the patch. I just noticed someone uploaded a file called:
jpg.php.rar
which is a phpshell program that looks like it has access to the server filesystem and can execute arbitrary commands.
Just looking into it now but here is some info on the php script:
http://www.mnin.org/write/2006_uploadscripts.html#Martin_Geislers_PhpShell_
-
If you don't need to allow .rar uploads then disallow them in Coppermine's config or with the filetypes plugin. If you do need to allow them then ensure they are treated correctly by your webserver by adding this line into the .htaccess file in your albums directory.
AddHandler application/x-rar .rar
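As an added example (not from the reply above or from the Coppermine project), here is what an .htaccess for the albums directory could look like when it is built around that AddHandler line. It assumes Apache 2.x with mod_php and an AllowOverride setting that permits FileInfo and Limit directives; the extension lists are illustrative.

```apache
# Added example: .htaccess for the albums/ upload directory.
# Assumes Apache 2.x, mod_php, and AllowOverride FileInfo Limit.

# Serve .rar as an opaque archive instead of letting mod_mime pick a
# handler from another extension in the name (e.g. jpg.php.rar).
AddHandler application/x-rar .rar

# Never run the PHP engine on anything stored in this tree,
# whatever the file is called.
php_flag engine off

# Drop any script handlers a parent configuration may have registered.
RemoveHandler .php .phtml .php3 .php4 .php5
RemoveType    .php .phtml .php3 .php4 .php5

# Refuse requests for names that contain a script extension anywhere,
# not only at the end (matches both "shell.php" and "jpg.php.rar").
<FilesMatch "\.(php|phtml|php[345]|pl|py|cgi|sh)(\.|$)">
    Order Allow,Deny
    Deny from all
</FilesMatch>
```

The FilesMatch pattern is the part that addresses the filename from this thread: with a plain `$` anchor it would only catch files ending in `.php`, which `jpg.php.rar` does not.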
-
Unfortunately I didn't block file types, my mistake.
My host denied me access to my account after someone uploaded the nstview script and used it to post an html file asking for personal financial information. They said they removed the html file, but I looked over the directory and the original offending RAR was still there. I noticed thumbs for 2 other rar files in the gallery, but the files don't exist. They all had different names.
I had my gallery set to ask admin approval for uploads from everyone so I am kind of stumped as to how they got the file on there in the first place.
-
The file gets stored on the server immediately on upload; only its visibility within Coppermine needs admin approval. You have to make sure that no executables get uploaded in the first place, admin approval won't help in this case.
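Since the file lands on disk before any approval step, the check has to happen on the filename at upload time. The following is an added example, not Coppermine's own upload code, of such a check: the final extension must be on an allowlist, and no earlier dot-separated segment may be a script extension, so a name like `jpg.php.rar` is rejected even when `.rar` itself is permitted. The function name, the two extension lists and the sample names are all assumptions made for this illustration.

```php
<?php
// Added example (hypothetical helper, not part of Coppermine).
// Extensions the gallery needs; "rar" is included here only to show
// that jpg.php.rar is still refused by the second check below.
$allowed_extensions = array('jpg', 'jpeg', 'png', 'gif', 'rar');

// Extensions that a default Apache/mod_php setup may hand to an
// interpreter, wherever they appear in a multi-extension name.
$script_extensions = array('php', 'php3', 'php4', 'php5', 'phtml',
                           'phps', 'cgi', 'pl', 'py', 'sh', 'htaccess');

function is_safe_upload_name($name, $allowed, $scripts)
{
    // Only the base name matters for the extension check.
    $name  = basename($name);
    $parts = explode('.', strtolower($name));

    // No extension at all, or a dot-file such as ".htaccess": refuse.
    if (count($parts) < 2 || $parts[0] === '') {
        return false;
    }

    // The last segment decides how most servers serve the file.
    $ext = array_pop($parts);
    if (!in_array($ext, $allowed, true)) {
        return false;
    }

    // Any remaining segment that is a script extension makes the name
    // dangerous under multi-extension handling (jpg.php.rar, x.php.jpg).
    foreach ($parts as $segment) {
        if (in_array($segment, $scripts, true)) {
            return false;
        }
    }
    return true;
}

// Constructed sample names for demonstration.
$samples = array('holiday.jpg', 'archive.rar', 'jpg.php.rar',
                 'photo.php.jpg', '.htaccess', 'README');
foreach ($samples as $s) {
    $verdict = is_safe_upload_name($s, $allowed_extensions, $script_extensions)
             ? 'accept' : 'reject';
    printf("%-15s %s\n", $s, $verdict);
}
```

Running it prints `accept` for `holiday.jpg` and `archive.rar` and `reject` for the other four. A name check like this belongs alongside, not instead of, a webserver configuration that refuses to execute anything in the upload directory, since a filename filter only covers the names it was written for.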
-
split unrelated reply to this thread into separate one (http://forum.coppermine-gallery.net/index.php?topic=30578.0)